undefined | Better HN

0 pointscosmie7y ago0 comments

This year I happen to work for a client that licenses all of their brand fonts. Licensed and pay-per-use fonts have easily and quickly worked their way up to the top 5 most agitating things to work with.

- They track use by embedding a link to the third party font provider, which does a 302 redirect to a file on your server that requires revalidation every load. So while you host the actual file delivered to the client, you can't optimize away the time added by that needless redirect on every single pageload[1].

- On some clients, invalidating that original link will also invalidate the cache for the destination of the 302 redirect, so the user is forced to truly redownload the font each pageload.

- Automated bot traffic, whether benign, malicious, search engines, or anything at all, becomes very expensive. A flood of scrapers hitting your site shifts from a minor nuisance to a very big deal. Something that your infrastructure can absorb without a hiccup can easily rack up hundreds of thousands of dollars worth of font usage costs. You can put security measures in place to prevent some of this, but at the risk of adding friction to legitimate traffic. And don't wan't to stop legitimate bots like social media crawlers and search engines. So you can either leave the risk open ended or "fail open" where, rather than blocking a visit, you selectively decide when to include the custom font and when not to. Cloudflare's SSE[2] comes in handy for this, combined with dynamic inclusion in the server side code to exclude it from being served to legitimate bots like Googlebot which don't need the custom font. I've also experimented recently with using Cloudflare Workers for handling that process and abstracting it completely from the original site. While Cloudflare Workers also have variable pricing based on usage, it's over an order of magnitude cheaper than the usage-based pricing of the font itself, and well worth the cost.

- Maintaining that added complexity, purely to cap the risk of the pay-per-view pricing model of the font, adds a needless amount of friction to the website management and development process.

[1] https://www.smugmug.com/ is a site that shows this workflow. They load a font file from cloud.typography.com which 302 redirects to the real font file hosted on Smugmug's CDN. While the response is usually fairly quick, I've seen inconsistent response times from the third party providers. And the fact that in some scenarios the must-revalidate flag from the 302 response causes the cache setting from the destination font file to be ignored as well, making it get downloaded every single pageview.

[2] https://support.cloudflare.com/hc/en-us/articles/200170036-W...

0 comments

msla7y ago

> They track use by embedding a link to the third party font provider, which does a 302 redirect to a file on your server that requires revalidation every load.

GDPR, here we come!

> Automated bot traffic, whether benign, malicious, search engines, or anything at all, becomes very expensive. A flood of scrapers hitting your site shifts from a minor nuisance to a very big deal.

As they used to say on the chans: "Oh, exploitable!"

This would be a wonderful way to financially DDoS some organization you just don't like very much.

cosmieOP7y ago

> GDPR, here we come!

I wish I had that card to play! For that specific provider in the example, their ToS explicitly says that, other than your login credentials, they're allowed to do and distribute any and everything they want with any data they collect from the usage of their service[1]. I'd be really curious to see exactly what usage is hiding behind that clause.

> This would be a wonderful way to financially DDoS some organization you just don't like very much.

Right?! It was mind boggling to learn how easily abused of a system it is. Their ToS even states that it's your problem, not theirs, and any call whatsoever to the "CSS key" (the nonexistent font file on their server that redirects to the real file on your server) is and will be charged as a view. You don't even need to hit the site it's embedded in - just hook up to TOR tunnel and throw a curl command to the "CSS Key" URL into an endless loop. And for optional flourish, add fake user-agent, origin, and referrer headers to the curl command. Let it run for a couple hours every week. Since you didn't hit their site, their site analytics never triggered, and they won't know what hit 'em until months later when it reaches a level that warrants finance asking why you blew so far past your budget.

[1] https://www.typography.com/home/cloud-terms.php

tomcam7y ago

Wow. This is one of the most comprehensive and eye-opening posts I’ve ever read on HN. Thank you

cosmieOP7y ago

An unexpected and unexpectedly gratifying compliment. Thank you!

I managed the digital analytics for that particular client, and an overly aggressive WAF[1] was in place to block scraping attempts because they'd been burned by font fees in the past. The WAF's browser challenge was poorly designed and as a side effect it destroyed all referral (and therefore channel attribution) data.

I had to work my way through a lot of layers within a Fortune 500 company, from my marketing client to their global infrastructure team, to get buy in to test out (and eventually switch) to Cloudflare as a much more robust solution to their font concerns[2]. Which also just so happened to correct the referral/channel attribution issue I was seeing[3]. Along the way I picked up a pretty comprehensive understanding of licensed fonts, as I had to use completely different approaches for each department and set of red tape I needed to cut through. Marketing, media buying, procurement, IT all have different ways you have to frame the risks and opportunities, even if they're all the same thing said different ways.

[1] https://en.wikipedia.org/wiki/Web_application_firewall

[2] The font issue was irrelevant to me. But my referral data was irrelevant to IT, and they put the WAF causing my problems in place due to the font issue. So I able to get procurement and IT's blessing by enticing them with the additional cost savings and protection from the Cloudflare-based solution.

[3] I was only able to get to procurement and IT in the first place by having the backing of marketing and media buying, who cared not at all about fonts but greatly about website performance, conversion attribution, and being able to analyze visitors by traffic source.

j / k navigate · click thread line to collapse

0 pointscosmie7y ago0 comments

- On some clients, invalidating that original link will also invalidate the cache for the destination of the 302 redirect, so the user is forced to truly redownload the font each pageload.

- Maintaining that added complexity, purely to cap the risk of the pay-per-view pricing model of the font, adds a needless amount of friction to the website management and development process.

[2] https://support.cloudflare.com/hc/en-us/articles/200170036-W...

0 comments

msla7y ago

> They track use by embedding a link to the third party font provider, which does a 302 redirect to a file on your server that requires revalidation every load.

GDPR, here we come!

> Automated bot traffic, whether benign, malicious, search engines, or anything at all, becomes very expensive. A flood of scrapers hitting your site shifts from a minor nuisance to a very big deal.

As they used to say on the chans: "Oh, exploitable!"

This would be a wonderful way to financially DDoS some organization you just don't like very much.

cosmieOP7y ago

> GDPR, here we come!

> This would be a wonderful way to financially DDoS some organization you just don't like very much.

[1] https://www.typography.com/home/cloud-terms.php

tomcam7y ago

Wow. This is one of the most comprehensive and eye-opening posts I’ve ever read on HN. Thank you

cosmieOP7y ago

An unexpected and unexpectedly gratifying compliment. Thank you!

[1] https://en.wikipedia.org/wiki/Web_application_firewall

j / k navigate · click thread line to collapse